play.modules {
enabled += "play.filters.csrf.CSRFModule"
enabled += "play.filters.cors.CORSModule"
enabled += "play.filters.headers.SecurityHeadersModule"
enabled += "play.filters.hosts.AllowedHostsModule"
enabled += "play.filters.gzip.GzipFilterModule"
enabled += "play.filters.https.RedirectHttpsModule"
}
play.filters {
# Default list of enabled filters, configured by play.api.http.EnabledFilters
enabled += play.filters.csrf.CSRFFilter
enabled += play.filters.headers.SecurityHeadersFilter
enabled += play.filters.hosts.AllowedHostsFilter
# CSRF config
csrf {
# Token configuration
token {
# The token name
name = "csrfToken"
# Whether tokens should be signed or not
sign = true
}
# Cookie configuration
cookie {
# If non null, the CSRF token will be placed in a cookie with this name
name = null
# Whether the cookie should be set to secure
secure = ${play.http.session.secure}
# Whether the cookie should have the HttpOnly flag set. Leave this false if client-side scripts need to read the
# token from the cookie in order to send it back in the CSRF header.
httpOnly = false
}
# How much of the body should be buffered when looking for the token in the request body
body.bufferSize = ${play.http.parser.maxMemoryBuffer}
# Bypass the CSRF check if the request's origin is trusted by the CORS filter
bypassCorsTrustedOrigins = true
# Header configuration
header {
# The name of the header to accept CSRF tokens from.
name = "Csrf-Token"
# Defines headers that must be present to perform the CSRF check. If any of these headers are present, the CSRF
# check will be performed.
#
# By default, we only perform the CSRF check if there are Cookies or an Authorization header.
# Generally, CSRF attacks use a user's browser to execute requests on that user's behalf, relying on the browser
# to attach the user's credentials. If the user does not have an active session, there is no danger of this happening.
#
# Setting this to null or an empty object will protect all requests.
protectHeaders {
Cookie = "*"
Authorization = "*"
}
# Defines headers that can be used to bypass the CSRF check if any are present. A value of "*" simply
# checks for the presence of the header. A string value checks for a match on that string.
# Because any listed header disables the check, only list headers that browsers do not attach to cross-site
# requests on their own.
bypassHeaders {}
}
# Method lists
method {
# If non-empty, then requests are checked only if their method is not in this list (listed methods are exempt).
whiteList = ["GET", "HEAD", "OPTIONS"]
# The black list is only used if the white list is empty.
# Only check methods in this list.
blackList = []
}
# Content type lists
# If both white lists and black lists are empty, then all content types are checked.
contentType {
# If non empty, then requests will be checked if the content type is not in this list.
whiteList = []
# The black list is only used if the white list is empty.
# Only check content types in this list.
blackList = []
}
routeModifiers {
# If non empty, then requests will be checked if the route does not have this modifier. This is how we enable the
# nocsrf modifier, but you may choose to use a different modifier (such as "api") if you plan to check the
# modifier in your code for other purposes.
whiteList = ["nocsrf"]
# If non empty, then requests will be checked if the route contains this modifier
# The black list is used only if the white list is empty
blackList = []
}
# The error handler.
# Used by Play's built-in DI support to locate and bind a request handler. Must be one of the following:
# - A FQCN that implements play.filters.csrf.CSRF.ErrorHandler (Scala).
# - A FQCN that implements play.filters.csrf.CSRFErrorHandler (Java).
# - provided, indicates that the application has bound an instance of play.filters.csrf.CSRF.ErrorHandler through some
# other mechanism.
# If null, will attempt to load a class called CSRFErrorHandler in the root package, otherwise if that's
# not found, will default to play.filters.csrf.CSRF.CSRFHttpErrorHandler, which delegates to the configured
# HttpRequestHandler.
errorHandler = null
}
# Security headers filter configuration
headers {
# The X-Frame-Options header. If null, the header is not set.
frameOptions = "DENY"
# The X-XSS-Protection header. If null, the header is not set.
xssProtection = "1; mode=block"
# The X-Content-Type-Options header. If null, the header is not set.
contentTypeOptions = "nosniff"
# The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
permittedCrossDomainPolicies = "master-only"
# The Content-Security-Policy header. If null, the header is not set.
contentSecurityPolicy = "default-src 'self'"
# The Referrer-Policy header. If null, the header is not set.
referrerPolicy = "origin-when-cross-origin, strict-origin-when-cross-origin"
# If true, allow an action to use .withHeaders to replace one or more of the above headers
allowActionSpecificHeaders = false
}
# Allowed hosts filter configuration
hosts {
# A list of valid hosts (e.g. "example.com") or suffixes of valid hosts (e.g. ".example.com")
# Note that ".example.com" will match example.com and any subdomain of example.com, with or without a trailing dot.
# "." matches all domains, and "" matches an empty or nonexistent host.
allowed = ["localhost", ".local"]
}
# CORS filter configuration
cors {
# The path prefixes to filter.
pathPrefixes = ["/"]
# The allowed origins. If null, all origins are allowed.
allowedOrigins = null
# The allowed HTTP methods. If null, all methods are allowed
allowedHttpMethods = null
# The allowed HTTP headers. If null, all headers are allowed.
allowedHttpHeaders = null
# The exposed headers
exposedHeaders = []
# Whether to support credentials (cookies, Authorization headers) on CORS requests. Combined with
# allowedOrigins = null this lets any origin make credentialed requests, so restrict allowedOrigins in production.
supportsCredentials = true
# The maximum amount of time the CORS preflight response should be cached by the client
preflightMaxAge = 1 hour
# Whether to serve forbidden origins as non-CORS requests
serveForbiddenOrigins = false
}
# GZip filter configuration
gzip {
# The buffer size to use for gzipped bytes
bufferSize = 8k
# The maximum amount of content to buffer for gzipping in order to calculate the content length before falling back
# to chunked encoding.
chunkedThreshold = 100k
contentType {
# If non empty, then a response will only be compressed if its content type is in this list.
whiteList = []
# The black list is only used if the white list is empty.
# Compress all responses except the ones whose content type is in this list.
blackList = []
}
}
# Configuration for redirection to HTTPS and Strict-Transport-Security
https {
# A boolean defining whether the redirect to HTTPS is enabled.
# A value of null means enabled only in Prod mode, but disabled in Dev/Test.
redirectEnabled = null
# The Strict-Transport-Security header is used to signal to browsers to always use https.
# This header is added whenever the filter makes the redirect.
# Set to null to disable the header.
strictTransportSecurity = "max-age=31536000; includeSubDomains"
# Configures the redirect status code used if the request is not secure.
# By default, uses HTTP status code 308, which is a permanent redirect that does
# not change the HTTP method according to [RFC 7538](https://tools.ietf.org/html/rfc7538).
redirectStatusCode = 308
# The HTTPS port to use in the Redirect's Location URL.
# e.g. port = 9443 results in https://playframework.com:9443/some/url
port = null
port = ${?play.server.https.port} # default to same HTTPS port as play server
port = ${?https.port} # read https.port system property if provided explicitly
}
}